
I have a deployment with apache 2.2.22 server behind varnish.

What I would like to accomplish is to password-protect a directory with htpasswd, but make it accessible without authentication for certain users coming from specific IPs.

    AuthType Basic
    AuthName "test"
    AuthUserFile /www/.htpasswd
    Require valid-user
    Order deny,allow
    Deny from all

    # Mark requests whose X-Forwarded-For header matches the whitelisted address
    SetEnvIf X-Forwarded-For "1.2.3.4" AllowIP
    Allow from env=AllowIP
    # Either a valid login or the AllowIP environment variable is enough
    Satisfy any

What I do right now is this; it is a workaround, but it is working. If the X-Forwarded-For IP (the client) is 1.2.3.4, then let him view the page without authentication.

The problem with this is that it is insecure: the client can just set an X-Forwarded-For header and bypass authentication.

I have tried the Apache RPAF module:

    <IfModule rpaf_module>
    RPAFenable On
    RPAFsethostname On
    # Only trust X-Forwarded-For on requests arriving from these proxy addresses
    RPAFproxy_ips 127.0.0.1 varniship
    </IfModule>

This theoretically should restrict X-Forwarded-For to requests coming from the proxy. I'm not even sure that I need this module in this case, since the proxy will always put the client IP into X-Forwarded-For behind its own. So the request would look like:

X-Forwarded-For: <varniship>, clientip

Where the clientip can be manipulated by the client once again. Is there a better way to do this?

defiler

2 Answers

    <Directory "/var/www/html/docroot">
    AuthName "Restricted Access"
    AuthType Basic
    AuthUserFile /usr/local/.htpasswd
    Order allow,deny
    Allow from x.x.x.x
    Require valid-user
    Options Indexes FollowSymLinks
    Satisfy any
    </Directory>

This works like a charm for me though I'm on 2.4.10 and don't have an older one to test.

Mugurel
  • It would work if the machine weren't behind a Varnish cache server. In this case it will only see the requests coming from the Varnish cache, so `Allow from` will not work. – defiler Feb 02 '16 at 12:46

Alternatively you could do this also on Varnish vcl side:

    sub vcl_recv {
        # whitelist ip 10.10.10.10 (anchored at both ends so 10.10.10.100 does not match)
        if (req.http.X-Forwarded-For ~ "^10\.10\.10\.10(,|$)") {
           # where dXNlcjpwYXNzd29yZA== is user:password in base64
           set req.http.Authorization = "Basic dXNlcjpwYXNzd29yZA==";
        }
    }

This can be extended with other checks on request headers.

Elvin Risti
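Both the question's `SetEnvIf X-Forwarded-For` rule and the VCL answer above key the bypass on a header value the client itself can send. The following Varnish configuration is an added example, not code from the question or from either answer. It assumes Varnish 3.x syntax, that Apache accepts connections only from this Varnish instance (bound to localhost or firewalled), and uses constructed addresses (10.10.10.10, 192.0.2.0/24) and a placeholder credential. The decision is made on `client.ip`, the TCP peer address Varnish observed, and X-Forwarded-For is overwritten before the request reaches Apache, so the backend rule only ever sees a value the proxy wrote.

```vcl
# Added example (not from the question or either answer). Assumes Varnish 3.x
# and that Apache is reachable only through this Varnish instance.

# Trusted clients are identified by the TCP peer address (client.ip), which a
# client cannot forge, never by a header the client supplied.
acl trusted_clients {
    "10.10.10.10";        # constructed example address
    "192.0.2.0"/24;       # constructed example range (RFC 5737 documentation space)
}

sub vcl_recv {
    # Overwrite, not append: discard whatever X-Forwarded-For the client sent
    # and replace it with the real peer address. The backend's rule
    #   SetEnvIf X-Forwarded-For "^10\.10\.10\.10(,|$)" AllowIP
    # is then trustworthy, because the first address in the header was
    # written here and not by the client.
    set req.http.X-Forwarded-For = client.ip;

    # Inject the bypass credential only for trusted peers. Requests from
    # anyone else keep their own Authorization header, so normal Basic auth
    # against /www/.htpasswd still works for them.
    if (client.ip ~ trusted_clients) {
        # Constructed placeholder; replace with base64("user:password") for a
        # dedicated low-privilege account that exists in /www/.htpasswd.
        set req.http.Authorization = "Basic REPLACE_WITH_BASE64_USER_PASS";
    }
}
```

Two deployment points follow from this design. First, the whole scheme rests on Apache never being reachable except via Varnish; if a client can connect to port 8080 (or whatever the backend listens on) directly, it can supply its own X-Forwarded-For again, so bind Apache to 127.0.0.1 or filter the port. Second, on Varnish 3 the built-in `vcl_recv` that runs after this one appends `client.ip` once more, giving `10.10.10.10, 10.10.10.10`; that is harmless because both entries are the verified peer address, which is why the backend regex above anchors on the first element rather than on the whole header. If Varnish itself sits behind another load balancer, `client.ip` is that balancer's address, and the same "trust only the immediate hop" rule has to be applied there instead.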